Microsoft Group Policy – Microsoft Server 2019

What is the difference between Local Group Policy and Active Directory Group Policy?

The local GPO exists on every Windows workstation and server.

AD-based GPOs are stored in AD and in SYSVOL.

The local GPO is processed regardless of whether a machine is domain or workgroup joined.

The local GPO resides in the file system under %windir%\system32\GroupPolicy. You can also create multiple user-specific local GPOs, scoped to:

specific local user accounts, all administrators on the system, or all non-administrators on the system.

Active Directory-based GPOs have two parts.

First part, GPC: the AD-based portion of the GPO is stored under CN=Policies,CN=System and is referred to as the Group Policy Container (GPC).

Second part, GPT: the file-system-based portion of the GPO is stored in SYSVOL under \\<domain>\sysvol\<domain>\policies and is referred to as the Group Policy Template (GPT).

How to open the Local Group Policy Editor from the command prompt

Run -> gpedit.msc

How to create AD Group Policy

Microsoft GPMC is the main interface for creating GPOs in AD; we can also use the Microsoft Group Policy PowerShell module.

GPOs are created in a given AD Domain. Once created they have no effect until they are linked.

Members of Domain Admins and Group Policy Creator Owners can create GPOs in a domain.

GPMC – Group Policy Management Console.

Editing a GPO is simple: right-click the GPO in GPMC to launch the GP Editor.

GPOs can be linked to AD sites.

GPOs can be linked at the domain level.

GPOs can be linked at one or more OU levels.

ADMX files

ADMX files exist in C:\Windows\PolicyDefinitions.

The corresponding language-specific ADML files provide the description of each policy in the current language of Windows. There is one ADML file for every ADMX file, stored in language folders under the ADMX directory (example: en-US).

The ADMX Central Store

Created by copying C:\Windows\PolicyDefinitions to SYSVOL.

Restore the default GPOs from the command prompt: type dcgpofix.

dcgpofix reverts the default GPOs back to their original policy settings.

GPO backup tools: GPMC can be used to back up one or all GPOs in a domain.

We can also script GPO backups using the Group Policy module and Backup-GPO.

Restore a GPO from backup: right-click the GPO and choose Manage Backups.

GPO Migration Table: used when migrating GPOs from one domain or forest to another. Designed to replace the security principals and UNC paths referenced in source GPOs with new ones in the destination domain.

Implementing the migration table

Migration tables can be populated: manually, from a live GPO, or from a GPO backup.

Migration tables are used when importing a GPO backup into a new GPO (usually in a different domain).
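Scripting the Backup-GPO backup mentioned above and the migration-table import described here, as an added example that is not part of these notes. The function names Backup-AllGpos and Import-GpoFromBackup, the paths, domain names, GPO names and the .migtable file are assumed placeholders.

```powershell
# Added example (not from these notes): script GPO backups with the GroupPolicy
# module and import one backup into another domain through a migration table.
# All paths, domain names and GPO names below are assumed placeholders.
Import-Module GroupPolicy

function Backup-AllGpos {
    param(
        [string]$Root   = 'C:\GPOBackups',      # assumed backup root (restrict its ACL)
        [string]$Domain = 'corp.example.com'    # assumed source domain
    )
    # One dated folder per run so earlier backups are never overwritten.
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $backups = Backup-GPO -All -Domain $Domain -Path $dest `
                          -Comment "Scheduled backup $(Get-Date -Format s)"
    # Manifest mapping backup IDs to GPO names, for picking a backup later.
    $backups |
        Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $backups
}

function Import-GpoFromBackup {
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [Parameter(Mandatory)][string]$SourceGpoName,
        [Parameter(Mandatory)][string]$TargetGpoName,
        [Parameter(Mandatory)][string]$TargetDomain,
        [string]$MigrationTable    # .migtable built with GPMC's Migration Table Editor
    )
    $params = @{
        BackupGpoName  = $SourceGpoName
        Path           = $BackupPath
        TargetName     = $TargetGpoName
        Domain         = $TargetDomain
        CreateIfNeeded = $true     # create the target GPO if it does not exist yet
    }
    # Pass the migration table only when given; it remaps security principals
    # and UNC paths from the source domain to their target-domain equivalents.
    if ($MigrationTable) { $params['MigrationTable'] = $MigrationTable }
    Import-GPO @params
}

# Usage with assumed names:
# $b = Backup-AllGpos
# Import-GpoFromBackup -BackupPath $b[0].BackupDirectory -SourceGpoName 'Workstation Baseline' `
#     -TargetGpoName 'Workstation Baseline' -TargetDomain 'lab.example.com' `
#     -MigrationTable 'C:\GPOBackups\corp-to-lab.migtable'
```

The backup folder holds the full GPT content (scripts, registry settings, preferences), so it should sit on a share that only GPO administrators can read or write.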

Limitations in Migration tables:

Only supports mapping of the legacy security policy area, software installation and folder redirection for UNC path migration. Does not support security principal or UNC path mapping for any GP Preferences areas.

Delegation Fundamentals

GPO delegation serves two purposes: controlling who can process (apply) a GPO and who can read/edit a GPO.

By default, all GPOs grant Read and Apply Group Policy permissions to Authenticated Users, which includes all user and computer accounts in the domain.

Delegation can be used to filter which computers and users can apply a policy, separately from the linking of the GPO.

Group Policy Software installation

GP-based software installation allows deployment of .MSI packages to computers or users.

Packages can be deployed on startup or logon, or when a user clicks a shortcut associated with the package.

Packages always install with elevated privileges, even when deployed to users.

Store the package on a UNC path that everyone who receives the policy can read, so that the MSI package is accessible.
The policy takes effect after the machine is restarted.

Folder Redirection

Lets you redirect key folders (e.g. Desktop, Documents, Pictures) out of the user's profile and onto a server share.

This can be done to the same location for all users or to different locations based on the user's group membership.

Ensures local user files are backed up to a server.

Scripts Policy

You can deploy per-computer startup or shutdown scripts, or per-user logon or logoff scripts.

These can be any executable, batch file or PowerShell script.

Logon scripts run 5 minutes after the user logs on by default in Windows 10.

Group Policy Preferences: Printers and Drive Maps

GP Preferences can define shared, TCP/IP or local printers, either per computer or per user.

Computer Configuration can set only local printers; there is no shared printer option.

GP Preferences can map drives per user, either to a specific drive letter or to the next available one.

GP Preferences: Power Options and Custom Registry

We can configure power plans and power settings using power options in GP Preferences.

We can configure arbitrary registry entries using the GP Preferences Registry item.

GP Preferences: creating a file on the desktop

Computer Configuration -> Windows Settings -> Files -> New

GP Preferences: creating a folder on the user's desktop